I have a fail over VPN set up between two ASA in case the p2p connection drops. I'm trying to find a way to test this with out dropping the p2p.
Any ideas on this?
I can't generate any interesting traffic as it just gets routed out the p2p link instead of the vpn tunnel.
I'm sorry to say this, but: don't. There's a famous Terry Pratchett line where someone criticises someone else's emergency recovery tests, to the effect that they always leave out the dam' emergency.
Testing DR is like that. If you don't savagely kill the thing you were planning on surviving the failure of, you'll never really know that true failure is survivable. I'm sure there are PIXOS commands to force failover (and I'm sorry that I'm not a PIXOS expert who knows them) but if you use those then declare that the test was good, you'll never know if the PIXes will properly detect failure.
So book a quiet evening, and drop the p2p. Time the failover, and the failback. Once you're confident of it, test it during the day, so you can be sure that it works properly under load. Make sure it continues to get a night-time test every month or two, and a daytime test once or twice a year. If you don't test like that, you don't really have failover capability.
You can manually failover with the "no failover active" command, entered on the active unit, or the "failover active" command, entered on the standby unit.
I ended up having a phase 2 setting wrong on one of the ASAs. The tunnel just came up on its own after I changed the setting. I didn't know they would do this, it even shows that no traffic has passed through it. Maybe keep alives? Either way, good enough for me to move on to testing the fail over.